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We provide security bounds against coherent attacks for two families of quantum key distribution 
protocols that use d-dimensional quantum systems. In the asymptotic regime, both the secret key 
rate for fixed noise and the robustness to noise increase with d. The finite-key corrections are found 
to be almost insensitive to d < 20. 
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Introduction. - The field of quantum key distri- 
bution (QKD) comprises topics ranging from applied 
mathematics to technological developments [iMj]. In 
such a large field, it is normal that progress may not 
be homogeneous. Here we deal with a topic that was 
studied in detail a few years ago, then left aside, and 
is now coming back to the forefront: QKD protocols 
using systems of dimension larger than two (qudits). 

There is an obvious advantage in using high- 
dimensional alphabets for QKD: each signal carries 
log d > 1 bits, so a larger amount of information can 
be sent for a given transmission of the channel. More- 
over, the first studies indicated that the resistance to 
noise of the protocols increases when the dimension is 
increased, both for one-way d, @ and two-way post- 
processing ■ At the level of implementation, qudit 
encoding in photonic states has been demonstrated us- 
ing angular momentum modes [lo| or time-bins 11 1. 
However, at some point the interest of the community 
shifted towards different challenges, perceived as more 
urgent. As a consequence, both full security proofs and 
proper implementations of higher-dimensional proto- 
cols are still lacking. 

In this paper, we start filling the first gap. For a wide 
class of higher-dimensional protocols, we provide a se- 
curity bound against coherent attacks that takes into 
account finite- key effects. In the asymptotic limit, our 
bound vindicates the previous partial results concern- 
ing the higher resistance to noise. Moreover,we show 
that finite-key effects vary little with d. In this work, 
we assume that the signal is really a qudit; as such, 
our bounds cannot be immediately applied to imple- 
mentations: issues like a more accurate description of 
the optical signal [12| and the squashing property at 
detection [l^l need to be addressed in future research. 

The protocols. - We focus on two families of proto- 
cols, both introduced first in Q: two-basis protocols, 
the natural generalization of the Bennett-Brassard 
1984 protocol (BB84) for qubits and {d+l)-basis 



protocols, the generalization of the six-state protocol 
for qubits [HQ. 

A few reminders and notations first. The Weyl oper- 
ators, a generalization of the Pauli matrices for larger 
dimensions, are defined by Ujk = J^^Zo^^^ I* + j) {s\ 
for j,k e {0, l,...,d— 1} and oj is the d*^ root of 
unity. The generalized Bell basis states are \^jk) = 
EtZo |s s + j) = 1 U,k |$oo)- The state |$oo) = 
ks) is invariant under U (E) U* , where the star 
denotes complex conjugation in the computational ba- 
sis. 

The entanglement-based version of the protocols un- 
der study is as follows. Alice prepares |<i>oo) and sends 
one of the qudits to Bob. At measurement, Alice mea- 
sures in the eigenbasis of one of the Ujk chosen at ran- 
dom; Bob does similarly using one of the C/*^,. In the 
sifting phase, they keep only the items for which they 
used the same bases. The parameters that are esti- 
mated are the error vectors 



r (0) . 



(1) 



(d-i) 



} 



(1) 



where gj^^ — Prob(a — h ~ t mod d\j, k) is the proba- 
bility that Alice's outcome a and Bob's outcome h differ 
by t, modulo d, when the basis of Ujk was chosen by 



both. 



The probability of no error q^^^ = 1 — Yl'tZi Qjk 
appears in the vector for convenience. Even if we do 
not consider this here, note that one can sometimes 
obtain better estimates by checking the statistics of 
measurements in different bases as well 17, 18| . 

Now, there are d^ — 1 non-trivial Ujk, but some of the 
corresponding eigenbases carry redundant information. 
The most elegant choice consists in choosing a subset of 
these which are mutually unbiased bases (MUB). There 
are at least two and at most {d+ 1) such bases, which 
explains the choice of the two protocols. Specifically, 
for the two-basis protocol, we can choose Uio and Uqi . 
However, a subset of the Ujk only form a complete 
MUB set when d is prime. Our study of {d + l)-basis 
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protocols will be restricted to these dimensions, the 
choice of bases being the set {C/qi, C^ife : k G [0,d— 1]}. 

Security bounds: preliminary considerations. - We 
focus on security bounds for one-way post-processing 
without pre-processing. The information-theoretical 
formula for the secret key rate achievable against co- 
herent attacks is known and the same for all proto- 
cols; but the most general coherent attacks are defined 
by an infinite number of parameters, so the formula 
cannot be computed directly. For most protocols, one 
rather relies on the following fact (see Q for an ex- 
planation and the exceptions): the bound for coherent 
attacks is asymptotically the same as the one for col- 
lective attacks, which are defined by a small number of 
parameters. 

The two bounds, for coherent and collective attacks, 
are usually identical only asymptotically. The applica- 
tion of the same reduction to finite-key bounds requires 
an estimate of the difference. The exponential De 
Finetti theorem [l9| provides such an estimate, which 
is however far from tight and leads to exceedingly pes- 
simistic bounds. Among qubit protocols, much tighter 
estimates have been obtained for the BB84 and the six- 
state protocol, based on their high symmetries [2^ 21 1. 



basis is used for the key and is chosen almost always, 
while the other bases are chosen with negligible prob- 
ability and used to bound the eavesdropper's informa- 
tion [24]. With this argument, one removes the over- 
head due to the sifting factor ^ that would be present 
in a symmetric protocol. Here we choose the key-basis 
to be the one of Uqi. 

Eve's information is quantified by the Holevo bound 
X{A : E\pab) = S{pe) - Y.tZlp{a)S{pE\a) where the 
a's are the outcomes of Alice's measurement in the key- 
basis and where Eve is supposed to hold a purification 
of Pab- In particular, for the Bell-diagonal state ([5]) 
one has p{a) = Tr(p^n[,''i^) = i and S{pe) = H{X). In 
order to compute the S{pE\a)i one starts from a purifi- 
cation of p^s: Wabe = Ei.fc \Ajfe l*Jfc)Ai3 



'ABE 

where \ejk)^ is an arbitrary orthonormal basis for 
Eve's system. Bob's system is traced out, then Al- 
ice makes projections onto her part of the remaining 
system in the computational basis, leading to pE\a = 

^T^iPAE^oi)/Pi'^)- These matrices are found to have 
a block-diagonal structure with different eigenvectors 
but same eigenvalues, leading to S{pE\a) — ^(Iqi) ^'^^ 
all a. In summary. 



The obvious extension of the same argument applies 
for the protocols under study here. Indeed, first, the 
parameters q do not change if, before the measure- 
ment, Uj'k' is applied on Alice's qudit and simultane- 
ously U*,j^, is applied on Bob's qudit. This observation 
follows from [Ujk <E) U*^,Uj'k' (8 J7*,j,,] = 0, a conse- 
quence of UjkUj'k' = w*'-''"^'^ Uj'k'Ujk. Second, the 
generalized Bell states are the eigenstates of all the 
Ujk ^ Uji-- From there, one follows the same reasoning 
as in 

Pab is diagonal in the generalized Bell basis: 



X{A : E\\) = H{X) - H{q^ 



(5) 



For the [d -\- l)-basis protocols with d prime, the A 
are uniquely determined by the q through Eq. (jl]), 
so Eve's information is Ie = : ^'lA)- For the 

2-basis protocols. Eve's information must be taken as 
Ie = maxx(A : E\X) where the maximum is taken 
over all choices of A compatible with the observed error 
vectors q^^ and q^^. 



20|,l21[. So, it follows from this construction that To do this, we parameterize the As: 
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PAB= ^Jk\<i>jk){<^jk\ 

j,k=0 
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where feio ~ ^- For such a state, the link with 
the error vector is given by 

901 = X! ^^-^ ' ^ X! ^j'(f'O-t) mod d , (3) 

k=a j=o 

which are always valid at least for k = and valid for 
all k when d is prime. Equivalently, 



where J^k'^'j'^ ^ 1 Vj- From equation ([3]), q[*Q — 

J2j=o ^j,{d-t)- So, we have the set of constraints 

9io ~ J2'j=o I01 ■ To minimize Ie, for each t all 

a^p must be equal and equal to (/Jq. Then since 

HiX) = H{qJ + Et^lo^Hia,) and = q^^ Vt we 
have 



(7) 



Xjk 



(sj^k mod d) ^ ^U) _ ^ \ 



Asymptotic bounds. - For asymptotic bounds, one 
can assume without loss of generality that only one 



As a concrete a priori benchmark, we assume that 
the observation yields the natural generalization of the 
qubit depolarizing channel: 



i^kiQ) 



{l-Q,Q/{d-l),...,Q/{d-l)} (8) 
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d 


Q2-basis 


Q{d + l)-basis 


2 


11.00 


12.62 


3 


15.95 


19.14 


4 


18.93 


23.17 


5 


20.99 


25.94 


7 


23.72 


29.53 


11 


26.82 


33.36 



TABLE I: Value of Q at which Too ~ for 2-basis and 
{d + l)-basis protocols, assuming one-way post-processing 
without pre-processing. 



for all bases j, k observed in the protocol. In the case 

of {d + l)-basis protocols, this fixes Aoo = 1 — 

and all the others Xjk = Q/d{d — 1), leading finally to 



estimates using smooth Renyi entropies may fail with 
probability e. The security parameter is the total prob- 
ability of failure e = Eec + £pa + npE£pE + £, where 
npE is the number of parameters estimated in the pro- 
tocol (for simplicity, we assume the same error on all 
parameters). 

With all these notions in place, the lower bound for 
the secret key rate reads^ 



rN 



, min H(A\E) - H(A\B) 



-log 

n Sec 



--log — - (21ogd + 3) 
n epA 



log(2/e-) 
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^Q)( log(l - Q - ^) - log(i - Q) 



d2 



log(l-Q) -Qlog 



1 
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In the case of 2-basis protocols, 

Q 



lE{Q)^'Qlog- 



1 



(l-Q)log(l-Q) 



H{Q). 
(10) 

Note that the corresponding pab can be obtained 
from |$oo) by passing Bob's qudit through the op- 
timal asymmetric universal, resp. phase covariant, 
1^-2 doner [6|. The secret key fraction is given by 
Too = logd — H{Q) — Ie{Q)- The critical values of Q 
at which Too becomes zero are given in Table ID 

The result ([TU]) was already presented as Eq. (22) 
in as a lower bound. It was obtained by means of 
an entropic uncertainty relation developed by Hall Q . 
Strictly speaking, this relation involves the classical 
mutual information and as such cannot be used for 
security against collective attacks. However, the same 
relation was recently shown to hold for Holevo quanti- 
ties 2J, |25[ : so the bound derived using entropic un- 
certainty relations is ultimately correct, and is tight for 
the 2-basis protocols. 

Finite key bounds. ~ We consider now the realis- 
tic case where N < oo signals have been exchanged, 
following [2^ . In this case, all the steps of the pro- 
tocols have some probability of failure. For error cor- 
rection and privacy amplification, these probabilities 
are denoted by Sec and epA respectively; the estimate 
of any measured parameter V may fail with probabil- 
ity £pE and the law of large numbers implies that one 
has to consider a fluctuation AV = AV{epE)- In ad- 
dition to those, as mentioned above, the mathematical 



The origin of each term should be clear from the failure 
probabilities and has been discussed in detail in previ- 
ous work j26l . 27 [ ; we have not put any overhead on the 
efficiency of error correction. The term n/N describes 
the fact that only n < N signals can be devoted to 
create a key, because some signals must be used for pa- 
rameter estimation. We have min£;|v±AV ^^(^1-^') — 
log(d) — Ie', Ie is given by © or ([TU]), in which the 
are estimated by the worst case 



"true" values 
-,(*) - 



^ jk\oo 
jfc|oo 



values = q\jl\^ ± Ag]^,^ compatible with the fluc- 

tuations. Obviously, the worst case is defined by in- 
creasing the errors {t G {l,...,d— 1}) and decreasing 
'^jfc|m correspondingly in order to preserve the normal- 
ization of probabilities. 

Now, for each given value of N, e and Eec, one has to 
maximize rjv by the best choice of the other parameters 
of the protocol: here, the probabilities pjk of choosing 
each basis (supposed the same for Alice and Bob) and 
the failure probabilities. This is done numerically. For 
simplicity, we keep using only the basis Uqi for the key, 
so n = NpQi (we have checked that the improvement 
obtained by taking all the bases is rather negligible). 

A subtle difference with the qubit case appears in 
the treatment of statistical fluctuations. Consider the 
basis J, k and suppose that m — Np^f. signals have been 
measured in this basis by both Alice and Bob: the law 



^ In the final term of this expression, the factor (2 log d + 3) 
appears. Starting from [261 and propagating to other finite 
keys papers, this was mistakenly given as (2d + 3), which for 
qubits is 7, rather than 5 as it should be. Therefore this is an 
inconsequential change for qubits, but for higher dimensions 
however, the difference to the bound can be more significant. 
The origin of this term is explained in ^igj . 
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of large numbers provides the bound 



q ~q II =y lAg^fi | < ^(m,d) , 



t=0 



where ^{m,d) 



21n(l/ep£;) + 2dln(TO + l) 



(12) 



The only additional constraint is the normalization 
^^~Q Ag^^^i^ = 0. So, if d > 2, we cannot find a 



(t) 

k\m' 

it') 

'jk\i 



t S {1, d — 1}. In one 
carries all the fluctua- 



tight bound for each Aq^ 
extreme case, only one q 

tions, leading to Aq^^'*!^ = ^£^{m,d) 5t,t'] hi the other 
extreme case, all the fluctuations of the error values 
are identical i.e. Ag^^^|^ — 2[d-i) '^)- turns out 
that this last case provides slightly most conservative 
bounds, so the graphs are plotted for this case; we also 
checked that the brute bound Agj^^i^ — ^^{m,d) for 
all t is definitely too pessimistic. 

Having addressed these concerns, we are now able to 
run the numerical optimizations. Since we are provid- 
ing a priori estimates, we assume the observed error 
vectors to be q (Q) given in ([5]). Also, for the {d+ 1)- 

— jk 

basis case, we fixed pik — ^—§^- The results are shown 
in Figure [T] The dominant finite-key correction is the 
one due to the statistical fluctuations, which goes as 
^(to, d) ^ \fd rather than linearly in d: this explains 
why, for the dimensions we plotted, the critical value 
is always around TV ~ 10^. 

Conclusion. - We have provided security bounds 
against coherent attacks for QKD protocols that use 
higher-dimensional alphabets, that are valid in the 
non-asymptotic regime of finite-length keys. When 
choosing either the secret key rate or the robustness 
to noise as the figure of merit, this study confirms that 
higher-dimensional protocols perform better than the 
corresponding qubit protocols. 
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